Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications are compromised also is symmetric, parties are equal hence does not protect sender from receiver forging a message & claiming is sent by sender Public-Key Cryptography probably most significant advance in the 3000 year history of cryptography uses two keys a public & a private key asymmetric since parties are not equal uses clever application of number theoretic concepts to function complements rather than replaces private key crypto Will now discuss the radically different public key systems, in which two keys are used. Anyone knowing the public key can encrypt messages or verify signatures, but cannot decrypt messages or create signatures, counter-intuitive though this may seem. It works by the clever use of number theory problems that are easy one way but hard the other. Note that public key schemes are neither more secure than private key (security depends on the key size for both), nor do they replace private key schemes (they are too slow to do so), rather they complement them. public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures 1
Why Public-Key Cryptography? developed to address two key issues: key distribution how to have secure communications in general without having to trust a KDC with your key digital signatures how to verify a message comes intact from the claimed sender public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976 known earlier in classified community The idea of public key schemes, and the first practical scheme, which was for key distribution only, was published in 1977 by Diffie & Hellman. The concept had been previously described in a classified report in 1970 by James Ellis (UK CESG) - and subsequently declassified in 1987. Public-Key Characteristics Public-Key algorithms rely on two keys with the characteristics that it is: computationally infeasible to find decryption key knowing only algorithm & encryption key computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) Public key schemes utilise problems that are easy (P type) one way but hard (NP type) the other way, eg exponentiation vs logs, multiplication vs factoring. Consider the following analogy using padlocked boxes: traditional schemes involve the sender putting a message in a box and locking it, sending that to the receiver, and somehow securely also sending them the key to unlock the box. The radical advance in public key schemes was to turn this around, the receiver sends an unlocked box to the sender, who puts the message in the box and locks it (easy - and having locked it cannot get at the message), and sends the locked box to the receiver who can unlock it (also easy), having the key. An attacker would have to pick the lock on the box (hard). 2
Security of Public Key Schemes like private key schemes brute force exhaustive search attack is always theoretically possible but keys used are too large (>512bits) security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems more generally the hard problem is known, its just made too hard to do in practise requires the use of very large numbers hence is slow compared to private key schemes Public key schemes are no more or less secure than private key schemes - in both cases the size of the key determines the security. Note also that you can't compare key sizes - a 64-bit private key scheme has very roughly similar security to a 512-bit RSA - both could be broken given sufficient resources. But with public key schemes at least there's usually a firmer theoretical basis for determining the security since its based on well-known and well studied number theory problems. RSA by Rivest, Shamir & Adleman of MIT in 1977 best known & widely used public-key scheme based on exponentiation in a finite (Galois) field over integers modulo a prime nb. exponentiation takes O((log n)3) operations (easy) uses large integers (eg. 1024 bits) security due to cost of factoring large numbers nb. factorization takes O(e log n log log n) operations (hard) RSA Key Setup each user generates a public/private key pair by: selecting two large primes at random - p, q computing their system modulus N=p.q 3
note ø(n)=(p-1)(q-1) selecting at random the encryption key e where 1<e<ø(N), gcd(e,ø(n))=1 solve following equation to find decryption key d e.d=1 mod ø(n) and 0 d N publish their public encryption key: KU={e,N} keep secret private decryption key: KR={d,p,q} This key setup is done once (rarely) when a user establishes (or replaces) their public key. The exponent e is usually fairly small, just must be relatively prime to ø(n). Need to compute its inverse to find d. It is critically important that the private key KR={d,p,q} is kept secret, since if any part becomes known, the system can be broken. Note that different users will have different moduli N. RSA Use to encrypt a message M the sender: obtains public key of recipient KU={e,N} computes: C=Me mod N, where 0 M<N to decrypt the ciphertext C the owner: uses their private key KR={d,p,q} computes: M=Cd mod N note that the message M must be smaller than the modulus N (block if needed) Why RSA Works because of Euler's Theorem: aø(n)mod N = 1 where gcd(a,n)=1 in RSA have: N=p.q ø(n)=(p-1)(q-1) carefully chosen e & d to be inverses mod ø(n) hence e.d=1+k.ø(n) for some k hence : Cd = (Me)d = M1+k.ø(N) = M1.(Mø(N))q = M1.(1)q = M1 = M mod N RSA Example 1. Select primes: p=17 & q=11 2. Compute n = pq =17 11=187 3. Compute ø(n)=(p 1)(q-1)=16 10=160 4. Select e : gcd(e,160)=1; choose e=7 5. Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23 7=161= 10 160+1 6. Publish public key KU={7,187} 7. Keep secret private key KR={23,17,11} Here walk through example using trivial sized numbers. Selecting primes requires the use of primality tests. Finding d as inverse of e mod ø(n) requires use of Inverse algorithm (see Ch4) 4
sample RSA encryption/decryption is: given message M = 88 (nb. 88<187) encryption: C = 887 mod 187 = 11 decryption: M = 1123 mod 187 = 88 RSA Key Generation users of RSA must: determine two primes at random - p, q select either e or d and compute the other primes p,q must not be easily derived from modulus N=p.q means must be sufficiently large typically guess and use probabilistic test exponents e, d are inverses, so use Inverse algorithm to compute the other Both the prime generation and the derivation of a suitable pair of inverse exponents may involve trying a number of alternatives, but theory shows the number is not large. RSA Security three approaches to attacking RSA: brute force key search (infeasible given size of numbers) mathematical attacks (based on difficulty of computing ø(n), by factoring modulus N) timing attacks (on running of decryption) 5
Chapter 10 Key Management; Other Public Key Cryptosystems Key Management public-key encryption helps address key distribution problems have two aspects of this: distribution of public keys use of public-key encryption to distribute secret keys Distribution of Public Keys can be considered as using one of: Public announcement Publicly available directory Public-key authority Public-key certificates Public Announcement users distribute public keys to recipients or broadcast to community at large eg. append PGP keys to email messages or post to news groups or email list major weakness is forgery anyone can create a key claiming to be someone else and broadcast it until forgery is discovered can masquerade as claimed user Publicly Available Directory can obtain greater security by registering keys with a public directory directory must be trusted with properties: contains {name,public-key} entries participants register securely with directory participants can replace key at any time directory is periodically published directory can be accessed electronically still vulnerable to tampering or forgery Public-Key Authority improve security by tightening control over distribution of keys from directory has properties of directory and requires users to know public key for the directory then users interact with directory to obtain any desired public key securely does require real-time access to directory when keys are needed 6
Public-Key Certificates certificates allow key exchange without real-time access to public-key authority a certificate binds identity to public key usually with other info such as period of validity, rights of use etc with all contents signed by a trusted Public-Key or Certificate Authority (CA) can be verified by anyone who knows the public-key authorities public-key Public-Key Distribution of Secret Keys use previous methods to obtain public-key can use for secrecy or authentication but public-key algorithms are slow 7
so usually want to use private-key encryption to protect message contents hence need a session key have several alternatives for negotiating a suitable session Simple Secret Key Distribution proposed by Merkle in 1979 A generates a new temporary public key pair A sends B the public key and their identity B generates a session key K sends it to A encrypted using the supplied public key A decrypts the session key and both use problem is that an opponent can intercept and impersonate both halves of protocol Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts note: now know that James Ellis (UK CESG) secretly proposed the concept in 1970 is a practical method for public exchange of a secret key used in a number of commercial products The idea of public key schemes, and the first practical scheme, which was for key distribution only, was published in 1977 by Diffie & Hellman. The concept had been previously described in a classified report in 1970 by James Ellis (UK CESG) - and subsequently declassified in 1987. a public-key distribution scheme cannot be used to exchange an arbitrary message rather it can establish a common key known only to the two participants value of key depends on the participants (and their private and public key information) based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy security relies on the difficulty of computing discrete logarithms (similar to factoring) hard Diffie-Hellman Setup all users agree on global parameters: 8
large prime integer or polynomial q α a primitive root mod q each user (eg. A) generates their key chooses a secret key (number): xa < q compute their public key: ya = αxa mod q each user makes public that key ya The prime q and primitive root α can be common to all using some instance of the D-H scheme. Note that the primitive root α is a number whose powers successively generate all the elements mod q. Alice and Bob choose random secrets x's, and then "protect" them using exponentiation to create the y's. For an attacker monitoring the exchange of the y's to recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard. Diffie-Hellman Key Exchange shared session key for users A & B is KAB: KAB = αxa.xb mod q = yaxb mod q (which B can compute) = ybxa mod q (which A can compute) KAB is used as session key in private-key encryption scheme between Alice and Bob if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys attacker needs an x, must solve discrete log The actual key exchange for either party consists of raising the others "public key' to power of their private key. The resulting number (or as much of as is necessary) is used as the key for a block cipher or other private key scheme. For an attacker to obtain the same value they need at least one of the secret numbers, which means solving a discrete log, which is computationally infeasible given large enough numbers Diffie-Hellman Example users Alice & Bob who wish to swap keys: agree on prime q=353 and α=3 select random secret keys: A chooses xa=97, B chooses xb=233 compute public keys: ya=397 mod 353 = 40 (Alice) yb=3233 mod 353 = 248 (Bob) compute shared session key as: KAB= ybxa mod 353 = 24897 = 160 (Alice) KAB= yaxb mod 353 = 40233 = 160 (Bob) Elliptic Curve Cryptography majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials imposes a significant load in storing and processing keys and messages an alternative is to use elliptic curves offers same security with smaller bit sizes Real Elliptic Curves 9
an elliptic curve is defined by an equation in two variables x & y, with coefficients consider a cubic elliptic curve of form y2 = x3 + ax + b where x,y,a,b are all real numbers also define zero point O have addition operation for elliptic curve geometrically sum of Q+R is reflection of intersection R Finite Elliptic Curves Elliptic curve cryptography uses curves whose variables & coefficients are finite have two families commonly used: prime curves Ep(a,b) defined over Zp use integers modulo a prime best in software binary curves E2m(a,b) defined over GF(2n) use polynomials with binary coefficients best in hardware There is no obvious geometric interpretation of elliptic curve arithmetic over finite fields. The algebraic interpretation used for elliptic curve arithmetic over does readily carry over, and this is the approach we take. Elliptic Curve Cryptography ECC addition is analog of modulo multiply ECC repeated addition is analog of modulo exponentiation need hard problem equiv to discrete log Q=kP, where Q,P belong to a prime curve is easy to compute Q given k,p but hard to find k given Q,P known as the elliptic curve logarithm problem Certicom example: E23(9,17) 10